The CVE-2024-27980 was identified as an incomplete fix for the BatBadBut vulnerability. This vulnerability arises from improper handling of batch files with all possible extensions on Windows via child_process.spawn / child_process.spawnSync. A malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled. This vulnerability affects all users of child_process.spawn and child_process.spawnSync on Windows in all active release lines. Impact: Thank you, to tianst for reporting this vulnerability and thank you RafaelGSS for fixing it.
https://thecyberthrone.in/2024/07/09/node-js-fixes-multiple-vulnerabilities-cve-2024-27980/